REVOKE Statement (Impala 2.0 or higher only)

The REVOKE statement revokes roles or privileges on a specified object from groups. Only
Sentry administrative users can revoke the role from a group. The revocation has a cascading effect. For
example, revoking the ALL privilege on a database also revokes the same privilege for all
the tables in that database.

Typically, the object name is an identifier. For URIs, it is a string literal.

The ability to grant or revoke SELECT privilege on specific columns is available
in Impala 2.3 and higher. See
the documentation for Apache Sentry for details.

Required privileges:

Only administrative users (those with ALL privileges on the server, defined in the Sentry
policy file) can use this statement.

Compatibility:

The Impala GRANT and REVOKE statements are available in Impala 2.0 and
higher.

In Impala 1.4 and higher, Impala makes use of any roles and privileges specified by the
GRANT and REVOKE statements in Hive, when your system is configured to
use the Sentry service instead of the file-based policy mechanism.

The Impala GRANT and REVOKE statements do not require the
ROLE keyword to be repeated before each role name, unlike the equivalent Hive
statements.

Currently, each Impala GRANT or REVOKE statement can only grant or
revoke a single privilege to or from a single role.

Cancellation: Cannot be cancelled.

HDFS permissions: This statement does not touch any HDFS files or directories,
therefore no HDFS permissions are required.

Kudu considerations:

Access to Kudu tables must be granted to and revoked from roles as usual.
Only users with ALL privileges on SERVER can create external Kudu tables.
Currently, access to a Kudu table is "all or nothing":
enforced at the table level rather than the column level, and applying to all
SQL operations rather than individual statements such as INSERT.
Because non-SQL APIs can access Kudu data without going through Sentry
authorization, currently the Sentry support is considered preliminary
and subject to change.